Slowloris DDoS tool used by Anonymous hacked to include Zeus trojan

The hackers were hacked.

Is turnabout fair play? A handful of Anons have found themselves on the wrong end of a hack in the wake of the US government takedown of Megaupload. On January 20, just one day after Megaupload founder Kim Dotcom was arrested in New Zealand, an unknown attacker slipped code from the infamous Zeus Trojan into the Slowloris tool used by members of Anonymous to carry out DDoS attacks on websites that have drawn their ire. As a result, many of those who participated in DDoS attacks targeted at the US Department of Justice, music label UMG, and whitehouse.gov also had their own PCs compromised.

Security firm Symantec details how some Anons ended up with Zeus on their systems. After modifying the Slowloris source to include code for the Zeus trojan on January 20, the attacker edited a couple of Pastebin guides, used to bring would-be DDoSers up to speed, so that they showed a new URL for downloading the Slowloris tool.

Each time Slowloris was downloaded and launched after the 20th of January, a Zeus botnet client was installed too. The Zeus client then stealthily downloaded a "clean" version of Slowloris to replace the modified copy in an attempt to conceal its existence on the infected PC. In the meantime, the Zeus trojan did its usual dirty work: capturing passwords and cookies, as well as banking and webmail credentials, and sending them off to a command-and-control server.

Symantec's research shows the modified version of Slowloris was widely downloaded. "This Anonymous DoS tool on PasteBin has become quite popular among the Anonymous movement with more than 26,000 views and 400 tweets referring to the post," noted Symantec's official blog.

The compromised version of Slowloris is no longer linked to on Pastebin: coverage of the shenanigans pulled on Anonymous appears to have resulted in what looks to be a link to the correct version of Slowloris being restored to the Pastebin guide.

Having Zeus installed on one's PC is absolutely no fun at all, so those who have downloaded the compromised version of Slowloris are going to have their hands full trying to hunt down and eradicate the trojan. Indeed, we see a number of clean OS installs in the immediate future for those who participated in DDoS attacks after the Megaupload takedown.

Eric Bangeman
Eric has been using personal computers since 1980 and writing about them at Ars Technica since 2003, where he currently serves as Managing Editor. Twitter: @ericbangeman

No, because comparing activism that you get no financial gain from but only risk to yourself to thievery for financial gain are so non comparable it's laughable.

That's like saying two people cross a street, one to get to a protest to volunteer their time and the other to rob a bank and claiming they are one and the same because they used the same street to get there before they deviated on their separate ways.

Turnabout means a reversal of a concept back on the originator. Stealing banking passwords for fraud is not what they did, a turnabout would be them getting the tool used on themselves. As a writer you should understand the definitions of the words you use, otherwise it's spin, plain and simple.

It wouldn't surprise me if a law enforcement agency had a hand in this -- With the C&C servers located at a .gov address. I bet all of a sudden a lot of Anon's are feeling very exposed right about now.

You might want to re-examine your self-described total lack of sympathy for those who selflessly fight oppression and censorship on your behalf (even if you are too ignorant to appreciate it or even recognize it) before karma snaps your chord.

But any time the target of a malware isn't specifically mentioned, it's quite safe to assume it's Windows.

Ilyushin wrote:

at least attempt to be real journalists. as for "anonymous"... who cares.

"I see an article I don't care to read, then read it anyways and complain about how I didn't care to read it"

Back on topic: I had a feeling this would happen. It is far too easy to get the sort of youngsters who make up Anon's largest demographic to act too quickly and carelessly. They're naive and enthusiastic and perfect victims of their own collective anonymity.

Booby-trapped skiddie tools have been around as long as the internet, but now we have VirusTotal, learn to love it if you're going to be downloading anonymously-provided tools

You might want to re-examine your self-described total lack of sympathy for those who selflessly fight oppression and censorship on your behalf (even if you are too ignorant to appreciate it or even recognize it) before karma snaps your chord.

Yeah he's "ignorant" for not buying into your big steaming pile of BS....or maybe it's the other way around?

You might want to re-examine your self-described total lack of sympathy for those who selflessly fight oppression and censorship on your behalf (even if you are too ignorant to appreciate it or even recognize it) before karma snaps your chord.

So you're saying I can become a selfless oppression fighter too with just a few clicks of my mouse, requiring 0 effort, personal risk, and investment? Man, it really doesn't take much these days.

Please, spare me the glorification of people who are basically less than script kiddies "fighting censorship and oppression" by clicking buttons for the noble and just cause or preserving our right to pirate media.

You might want to re-examine your self-described total lack of sympathy for those who selflessly fight oppression and censorship on your behalf (even if you are too ignorant to appreciate it or even recognize it) before karma snaps your chord.

The problem with Anonymous is that due to its decentralized nature, anything can happen under its banner. So yes, I supported their actions against child pornographers. I support what they did to the Syrian government. These are good things. But lashing out about Julian Assad? Striking back for taking down MegaUpload? Those are temper tantrums.

Due to the seemingly capricious nature of their activities, I don't feel a ton of sympathy even if sometimes they do things I agree with. On balance, they do a lot of stuff that is just not supportable to me.

You might want to re-examine your self-described total lack of sympathy for those who selflessly fight oppression and censorship on your behalf (even if you are too ignorant to appreciate it or even recognize it) before karma snaps your chord.

Yeah he's "ignorant" for not buying into your big steaming pile of BS....or maybe it's the other way around?

Ignorance is a lack of awareness, which is not the same as the denial of truth you're promoting.

PENGUINKK wrote:

So you're saying I can become a selfless oppression fighter too with just a few clicks of my mouse, requiring 0 effort, personal risk, and investment? Man, it really doesn't take much these days.

Please, spare me the glorification of people who are basically less than script kiddies "fighting censorship and oppression" by clicking buttons for the noble and just cause or preserving our right to pirate media.

No, I'm not saying you can do anything. I wouldn't want to make assumptions about your competence level based solely on your inability to first become informed on topics you comment on, your jaded view of modern protestors and your admission to having done nothing yourself to fight oppression so far. Stop putting words in my mouth.

reflex-croft wrote:

The problem with Anonymous is that due to its decentralized nature, anything can happen under its banner. So yes, I supported their actions against child pornographers. I support what they did to the Syrian government. These are good things. But lashing out about Julian Assad? Striking back for taking down MegaUpload? Those are temper tantrums.

It's Assange. And supporting Wikileaks is hardly "lashing out", and the MegaUpload debacle is far more complex than a temper tantrum.

reflex-croft wrote:

Due to the seemingly capricious nature of their activities, I don't feel a ton of sympathy even if sometimes they do things I agree with. On balance, they do a lot of stuff that is just not supportable to me.

That's what is so great about their decentralized nature, no one has to take part in ops they don't support.

Due to the seemingly capricious nature of their activities, I don't feel a ton of sympathy even if sometimes they do things I agree with. On balance, they do a lot of stuff that is just not supportable to me.

That's what is so great about their decentralized nature, no one has to take part in ops they don't support.

But I guess since they are just fighting oppression and censorship, there's no reason anyone wouldn't support the ops, unless their ignorant. Right, dumbass troll?.

So whoever's running the Zeus server can take their time analysing all the linkages between all the people who've been involved in recent DDoS attacks, reading their emails and other communications, and then issue arrest warrants?

I think it may be a little more complicated than that, given the need for search warrants to get the information that Zeus would provide. But I wouldn't be surprised if it were used as "backgrounding" to figure out who needs to be investigated more closely.

Due to the seemingly capricious nature of their activities, I don't feel a ton of sympathy even if sometimes they do things I agree with. On balance, they do a lot of stuff that is just not supportable to me.

That's what is so great about their decentralized nature, no one has to take part in ops they don't support.

But I guess since they are just fighting oppression and censorship, there's no reason anyone wouldn't support the ops, unless their ignorant. Right, dumbass troll?.

Instead of guessing, you could try the google or search relevant articles here on Ars. You might want to look up "ignorant" and "troll" as well, once you master grammar and spelling. It's they're, as in the conjunction of "they are". But you can own your own ignorance with the possessive if you insist. Right?

As for the story itself, whether Anonymous is right or wrong, this sort of thing was bound to happen eventually. I somewhat pity the younger ones, as they may actually assume "ops" are all fun and games that they can join with impunity. Of course, this may not be direct retaliation for anything in particular.

The problem with Anonymous is that due to its decentralized nature, anything can happen under its banner. So yes, I supported their actions against child pornographers. I support what they did to the Syrian government. These are good things. But lashing out about Julian Assad? Striking back for taking down MegaUpload? Those are temper tantrums.

It's Assange. And supporting Wikileaks is hardly "lashing out", and the MegaUpload debacle is far more complex than a temper tantrum.

DDoSing and internet vandalism is not a complex or nuanced response to anything.

No, because comparing activism that you get no financial gain from but only risk to yourself to thievery for financial gain are so non comparable it's laughable.

That's like saying two people cross a street, one to get to a protest to volunteer their time and the other to rob a bank and claiming they are one and the same because they used the same street to get there before they deviated on their separate ways.

Turnabout means a reversal of a concept back on the originator. Stealing banking passwords for fraud is not what they did, a turnabout would be them getting the tool used on themselves. As a writer you should understand the definitions of the words you use, otherwise it's spin, plain and simple.

strange, people who had their PSN accounts compromised or victims of lulzsec probably don't agree with you on what anonymous does.

You might want to re-examine your self-described total lack of sympathy for those who selflessly fight oppression and censorship on your behalf (even if you are too ignorant to appreciate it or even recognize it) before karma snaps your chord.

LOL! Thanks for the laugh there guy..... wait. You were serious weren't you? Holy shit.

You might want to re-examine your self-described total lack of sympathy for those who selflessly fight oppression and censorship on your behalf (even if you are too ignorant to appreciate it or even recognize it) before karma snaps your chord.

LOL! Thanks for the laugh there guy..... wait. You were serious weren't you? Holy shit.

I merely observed the irony of professing to have no sympathy and invoking karma in the same statement, but I don't think "serious" is part of the equation. You must have very delicate sensibilities if this was a holy shit moment for you.

Arthmoor wrote:

I have one word to describe this: Justice.

Inhibiting Anonymous' efforts to draw attention to oppression and censorship is better described as: Obstruction of Justice.

Do you actually have something coherent to say, or is shouting "Troll!" from the rooftop in hopes of drowning out actual rebuttals your tactic now?

You and others have come in here and made snarky, ill-thought out regurgitations of Fox news snippets as personal attacks against Anon, and called me names personally, and when I point this irony out, I'm the troll? In fact, every single comment you have made in this thread so far has been to call me a troll or agree with someone for doing the same, with the sole exception of calling an observation of mine a "steaming pile of BS", and I'm the troll? I don't fucking think so. Rebuttals and observations are not personal attacks or trolling. Calling someone a troll for countering your statement is both a personal attack and a cheap shot to take when you can't actually counter the argument because your vocabulary is limited to "dumbass" and "troll" and you think "ignorance" is an epithet. You didn't take my advice and actually look up those words at all, did you?

Protip: "Troll" does not mean: someone I disagree with or who has pointed out the obvious and ironic fallacies of my weak argument to me.

I doubt it. That's why there are planned ops against specific targets. You might want to find out a little more about Anon before exposing your lack of knowledge if all you think they are is "we r leejon" children and you think of their long list of accomplishments as "random vandalism".

ogfagala wrote:

Sounds like this guy had a fun time reinstalling Windows and changing all his passwords.

What guy? Did you read the article at all, or did you just jump into the comments to attack anon?

"handful of Anons" ... yeesh, I'd say it's likely more than a handful affected from the number of views and tweets and how long it was up. Minions only, sure, but...

"After modifying the Slowloris source" - from the Symantec analysis, only the link in the guidelines was modified.

According to the analysis, the C&C isn't just harvesting the standard Zeus stuff - it's also being used to force participation in DDoS attacks even if the machine's owner forgets... it's obviously a targeted attack with a purpose. Curious what that purpose is.

You might want to find out a little more about Anon before exposing your lack of knowledge if all you think they are is "we r leejon" children and you think of their long list of accomplishments as "random vandalism".

No, I think he and the rest of us are more than knowledgeable about what Anonymous is, and I think "we r leejon" children more or less sums it up nicely.

They're basically mad at the world for trying to stop them from pirating movies and music all day. Their "activism" consists of script kiddie attacks against weak targets that often have nothing to do with the supposed goal. They have little to no actual useful knowledge of computers beyond trojan horse programs like LOIC.

The truly skilled hackers are all laughing their asses off at them and happily letting them blunder around to take the blame for these smokescreen jobs.

Or you could continue to fantasize about what you wish Anonymous was if that's what you want.